Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for maintaining and using user data stored on a smart card, including: receiving an indication from a user that a terminal is to be configured as a home terminal for a smart card, including issuing by the terminal, a query to the user requesting an indication that the terminal should be made the home terminal, and receiving at the terminal from the user, the indication that the terminal should be made the home terminal; communicating, from the smart card to the terminal, an encrypted key, for use in configuring the terminal as the home terminal; receiving the encrypted key at the terminal, and persistently storing the encrypted key at a location accessible to the terminal, so as to configure the terminal as the home terminal with respect to the smart card; subsequently receiving by the home terminal a data maintenance request which includes a password, using the password and the encrypted key to form an authenticated data maintenance request and forwarding the authenticated data maintenance request to the smart card; subsequently receiving, by the smart card from the terminal, said authenticated data maintenance request, wherein the authenticated data maintenance request is a request to modify data on the smart card, by the end-user of the smart card, and included with the data maintenance request, is information derived from the encrypted key persistently stored at the location accessible to the terminal, which indicates that the authenticated data maintenance request originates from the home terminal; determining, by said smart card, whether said authenticated data maintenance request was received from the home terminal and whether the end-user is an authorized end-user of the smart card; and authorizing, by said smart card, said authenticated data maintenance request only if said authenticated data maintenance request was received from said home terminal and from said authorized end-user.
2. The method of claim 1 wherein said determining, by said smart card, whether said authenticated data maintenance request was received from the home terminal, includes a cryptographic terminal recognition interaction.
3. The method of claim 1 further comprising: configuring in an impersistent memory one or more current session data rights flags indicating said authorized end-user's access rights.
4. The method of claim 1, wherein the home terminal is configured to, in response to receiving a data maintenance request which includes a password, use the password to decrypt the encrypted key and form a decrypted key, and use the decrypted key to form said authenticated data maintenance request.
5. A method for using and maintaining user data stored on a smart card including: receiving an indication from a user of the smartcard that a terminal is to be configured as a home terminal for a smart card, including issuing by the terminal, a query to the user requesting an indication that the terminal should be made the home terminal, and receiving at the terminal from the user, the indication that the terminal should be made the home terminal; communicating, from the smart card to the terminal, an encrypted key, for use in configuring the terminal as the home terminal; receiving the encrypted key at the terminal, and persistently storing the encrypted at a location accessible to the terminal, so as to configure the terminal as the home terminal with respect to the smart card; subsequently receiving by the home terminal a data maintenance request which includes a password, using the password and the encrypted key to form an authenticated data maintenance request, and forwarding the authenticated data maintenance request to the smart card; subsequently receiving, on said smart card, said authenticated data maintenance request, wherein authenticated data maintenance request is a request, by the user of the smart card, to modify the user data stored on said smart card and, included with the authenticated data maintenance request, is information derived from the password and the encrypted key stored at the location accessible to the terminal, which indicates that the data maintenance request originates from the home terminal; using a first process to determine whether to allow said authenticated data maintenance request from the user of the smart card, wherein said first process allows the authenticated data maintenance request upon a predetermined comparison being true so that the user of the smart card performs, on the smart card, data maintenance on the user data stored on the smart card; authorizing, by said smart card, said authenticated data maintenance request only if said authenticated data maintenance request was received from said home terminal.
6. The method of claim 5 wherein said authenticated data maintenance request includes said password and further wherein, said first process comprises: comparing said password with a passphrase stored on said smart card; and allowing said authenticated data maintenance request upon said password matching said passphrase.
7. The method of claim 5 wherein said authenticated data maintenance request includes said password and a static identifier derived from said encrypted key, wherein said static identifier comprises an identifier associated with a home terminal and said identifier does not change with each data maintenance request received by said smart card from said home terminal, and further wherein, said first process comprises: comparing said password with a passphrase stored on said smart card; comparing said static identifier with a stored static identifier on said smart card.
8. The method of claim 7 wherein said stored static identifier is stored in a list of static identifiers stored on said smart card.
9. The method of claim 5 wherein said data request includes a data maintenance request, a passphrase and a dynamic identifier wherein said dynamic identifier comprises an identifier associated with a home terminal and said identifier is different in each data maintenance request received by said smart card from said home terminal, and further wherein, said first process comprises: comparing said passphrase with a passphrase stored on said smart card; comparing said dynamic identifier with a dynamic identifier on said smart card.
10. The method of claim 9 wherein said dynamic identifier comprises a nonce.
11. The method of claim 9 wherein said dynamic identifier comprises a next identifier generated using an end identifier and a last identifier in a one way function.
12. The method of claim 5 wherein said authenticated data maintenance request includes a static identifier derived from said encrypted key, wherein said static identifier comprises an identifier associated with a home terminal and said identifier does not change with each data maintenance request received by said smart card from said home terminal, and further wherein, said first process comprises: using a key stored on said smart card to verify said authenticated data maintenance request; comparing said static identifier with a stored static identifier on said smart card.
13. The method of claim 12 wherein said stored static identifier is stored in a list of static identifiers stored on said smart card.
14. The method of claim 5 wherein said first process further comprises: generating a next key using an end key and a last key in a one-way function; using said next key to verify said authenticated data maintenance request.
15. The method of claim 5 wherein said authenticated data maintenance request further includes a dynamic identifier wherein said dynamic identifier comprises an identifier associated with a home terminal and said identifier is different in each data maintenance request received by said smart card from said home terminal during a session, and further wherein, said first process comprises: generating a next key using an end key and a last key in a one-way function; using said next key to verify said authenticated data maintenance request; comparing said dynamic identifier with a dynamic identifier on said smart card.
16. The method of claim 15 wherein said dynamic identifier comprises a nonce.
17. The method of claim 5 wherein said authenticated data maintenance request includes a dynamic identifier and a passphrase wherein said dynamic identifier comprises an identifier associated with a home terminal and said identifier is different in each data maintenance request received by said smart card from said home terminal during a session, and further wherein, said first process further comprises: generating a next key using an end key and a last key in a one-way function; using said next key to verify said authenticated data maintenance request; comparing said dynamic identifier with a dynamic identifier on said smart card; comparing said passphrase with a passphrase stored on said smart card.
18. The method of claim 5, wherein the home terminal is configured to, in response to receiving a data maintenance request which includes a password, use the password to decrypt the encrypted key and form a decrypted key, and use the decrypted key to form said authenticated data maintenance request.
19. A computer program product comprising a tangible computer readable storage medium having embodied therein computer program instructions for a method comprising: receiving an indication from a user of a smart card that a terminal is to be configured as a home terminal for the smart card, including issuing by the terminal, a query to the user requesting an indication that the terminal should be made the home terminal, and receiving at the terminal from the user, the indication that the terminal should be made the home terminal; communicating, from the smart card to the terminal, an encrypted key, for use in configuring the terminal as the home terminal; receiving the encrypted key at the terminal, and persistently storing the encrypted key at a location accessible to the terminal, so as to configure the terminal as the home terminal with respect to the smart card; subsequently receiving by the home terminal a data maintenance request which includes a password, using the password and the encrypted key to form an authenticated data maintenance request and forwarding the authenticated data maintenance request to the smart card; subsequently receiving, on said smart card, said authenticated data maintenance request, wherein said authenticated data maintenance request is a request, by the user of the smart card, to modify user data relating to an individual user of the smart card stored on said smart card and, included with the authenticated data maintenance request is information derived from the encrypted key persistently stored at the location accessible to the terminal, which indicates that the authenticated data maintenance request originates from the home terminal; using a first process to determine whether to allow said authenticated data maintenance request, wherein said first process allows the authenticated data maintenance request upon a predetermined comparison being true so that the user of the smart card performs, on the smart card, data maintenance on the user data stored on the smart card; and authorizing, by said smart card, said authenticated data maintenance request only if said authenticated data maintenance request was received from said home terminal.
20. The computer program product of claim 19, wherein the home terminal is configured to, in response to receiving a data maintenance request which includes a password, use the password to decrypt the encrypted key and form a decrypted key, use the decrypted key to form said authenticated data maintenance request.
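The flow of claims 4, 12 and 13 with the nonce of claims 9-10, as an added illustration that is not part of the patent text. The claims name no algorithms, so PBKDF2, the XOR pad standing in for a key-wrap cipher, HMAC-SHA256, and every class and field name here are assumptions.

```python
import hashlib, hmac, os

def kdf(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2 output used as an XOR pad, standing in for a real key-wrap cipher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class SmartCard:                      # hypothetical model of the card side
    def __init__(self, passphrase: str):
        self._passphrase = passphrase
        self._home = {}               # static identifier -> MAC key (the stored list of claim 13)
        self._nonce = None            # single-use dynamic identifier
        self.user_data = {}

    def enroll_home_terminal(self) -> dict:
        key, salt = os.urandom(32), os.urandom(16)
        wrapped = xor(key, kdf(self._passphrase, salt))
        self._home[hashlib.sha256(wrapped).hexdigest()] = key
        return {"salt": salt, "wrapped": wrapped}    # the "encrypted key" sent to the terminal

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)
        return self._nonce

    def handle(self, req: dict) -> bool:
        key, nonce = self._home.get(req["terminal_id"]), self._nonce
        self._nonce = None                           # a nonce is never accepted twice
        if key is None or nonce is None:
            return False                             # unknown terminal or no fresh challenge
        expected = hmac.new(key, nonce + req["body"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, req["mac"]):
            return False                             # wrong password yields a wrong key
        field, _, value = req["body"].decode().partition("=")
        self.user_data[field] = value
        return True

class Terminal:                       # hypothetical model of the terminal side
    def __init__(self):
        self.blob = None              # persisted encrypted key; None means not a home terminal

    def build_request(self, password: str, nonce: bytes, body: bytes) -> dict:
        # Claim 4: the password decrypts the stored key, which then authenticates the request.
        key = xor(self.blob["wrapped"], kdf(password, self.blob["salt"]))
        return {"terminal_id": hashlib.sha256(self.blob["wrapped"]).hexdigest(),
                "body": body,
                "mac": hmac.new(key, nonce + body, hashlib.sha256).digest()}
```

The card accepts a request only when the static identifier matches an enrolled blob and the MAC verifies under the key that the correct password unwraps, so neither a stolen blob nor a known password is sufficient alone.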
July 29, 2014